Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success.

Thanks to the XKCD comic, every password cracking word list in the world probably has correcthorsebatterystaple in it already.

Aurich Lawson

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")

While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn't disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. The most thorough of the three cracks was carried out by Jeremi Gosney, a password expert with Stricture Consulting Group. Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. (oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in this article used.) Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards. A third cracker who goes by the moniker radix deciphered 62 percent of the hashes using a computer with a single 7970 card—also in about one hour. And he probably would have cracked more had he not been peppered with questions throughout the exercise.

The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."

A screenshot showing a small sampling of cracked passwords.

As big as the word lists that all three crackers in this article wielded—close to 1 billion strong in the case of Gosney and Steube—none of them contained "Coneyisland9/," "momof3g8kids," or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomized passwords by the account holders.

Life in the fast lane

"These are terrible passwords," radix, who declined to give his real name, told Ars just a few minutes into run one of his hour-long cracking session. "There's probably not a complexity requirement for them. The hashing alone being MD5 tells me that they really don't care about their passwords too much, so it's probably some pre-generated site."

Like SHA1, SHA3, and most other algorithms, MD5 was designed to convert plaintext into hashes, also known as "message digests," quickly and with a minimal amount of computation. That works in the favor of crackers. Armed with a single graphics processor, they can cycle through more than eight billion password combinations each second when attacking "fast" hashes. By contrast, algorithms specifically designed to protect passwords require significantly more time and computation. For instance, the SHA512crypt function included by default in Mac OS X and most Unix-based operating systems passes text through 5,000 hashing iterations. This hurdle would limit the same one-GPU cracking system to slightly less than 2,000 guesses per second. Examples of other similarly "slow" hashing algorithms include bcrypt, scrypt, and PBKDF2.
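The storage choice described above, shown from the site operator's side as an added example (not code from the article or from any tool it mentions). It puts unsalted MD5 next to a salted, iterated PBKDF2 record and turns the article's two guess rates into time-to-exhaust figures. The account names, the record format, and the 600,000-iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# MD5 values quoted in the article for "password" and "password1".
ARTICLE_MD5 = {
    "password": "5f4dcc3b5aa765d61d8327deb882cf99",
    "password1": "7c6a180b36896a0a8c02787eeafb0e4c",
}

# Single-GPU guess rates stated in the article.
FAST_HASH_RATE = 8_000_000_000  # fast hashes such as MD5
SLOW_HASH_RATE = 2_000          # SHA512crypt with 5,000 iterations

# Assumption: iteration count picked for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample accounts; the passwords are plains named in the article.
SAMPLE_USERS = {"alice": "password1", "bob": "password1", "carol": "Oscar+emmy2"}


def md5_hex(password):
    """Weak scheme from the article: a single unsalted MD5 pass."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened scheme: per-user random salt plus an iterated KDF."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Hypothetical record layout: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def shared_hash_groups(records):
    """Return groups of accounts whose stored hashes are identical.

    With unsalted hashes, one successful guess exposes every account in a group.
    """
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    md5_db = {u: md5_hex(p) for u, p in SAMPLE_USERS.items()}
    kdf_db = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 groups sharing a hash:   ", shared_hash_groups(md5_db))
    print("PBKDF2 groups sharing a hash:", shared_hash_groups(kdf_db))
    keyspace = 36 ** 8  # every 8-character lowercase-plus-digit password
    print("fast hash: %.0f seconds" % seconds_to_exhaust(keyspace, FAST_HASH_RATE))
    years = seconds_to_exhaust(keyspace, SLOW_HASH_RATE) / (365 * 86400)
    print("slow hash: %.1f years" % years)
```
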

The other variable was the account holders' decision to use memorable words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy to remember are precisely the things that allowed them to be cracked. Their basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.

What's more, like the other two crackers profiled in this article, radix didn't know where the password list was taken from, eliminating one of the key techniques crackers use when deciphering leaked hashes. "If I knew the site, I would go there and find out what the requirements are," he said. The information would have allowed radix to craft custom rule sets targeted at the specific hashes he was trying to crack.

482 Reader Comments

The xkcd example is poor, the stated level of entropy is "ideal" not "real". If I have a 100,000 word dictionary then each word represents about 10 bits of entropy, however people do not pick random words, they pick words they know and the average person uses about 1/5th of a dictionary.

If you had a dictionary with only 20000 words in it, would all the words you chose be in the dictionary? If the answer is yes then your entropy calculation is against the smaller dictionary.

Phrases and random words are NOT the answer to good passwords.

I've been wondering about this. The cracker implied that the xkcd solution is a good one since s/he was excited about "getting around it". So what's the bottom line on the xkcd solution? Is a list of real words other people haven't put together already a decent password or not?

If your choice distribution is uniform across the dictionary (eg by using dice to pick the words from a dictionary) then the xkcd solution attains its 'ideal' entropy bound, and it's as safe as the calculations say.

If not (I'm sure the distribution over words people think about when they think they're picking one at 'random' is far from uniform) then the real entropy is that of the 'human' choice distribution. If the attacker can approximate the 'human' distribution he is bounded by the 'real' entropy.

In the example given, the number of guesses was "only" the square of 100 million, or 10 ^ 16.

Four English words would be the quad(?) of 100,000 (a lowball estimate to the number of words in the English language), or 10 ^ 20; it would take 10,000x the time.

If the combinator attack took an hour the xkcd combinator attack would take a year.

Now, if you really were paranoid and didn't care so much about the problem of passwords being hard to remember (let's say it's one you use every day) you could easily make things several times more complicated through substitutions, making a similar technique take 1,000 years instead...

The number of people who read this article and completely missed the key points of it is astounding.

The three subjects in the article only used pure brute force attacks where it made sense - i.e. where they could be done quickly. Beyond that they used attacks based on human tendencies and pattern analysis that essentially targeted the attacks where they were likely to produce the best results.

The subjects in the article weren't trying to get my, truly random, 16 character LastPass vault password. They were going for the low hanging fruit, so to speak.

The same thing that makes the majority of passwords weak - human behavior - will also make most pass phrases weak.

The pass phrases typical users create:
- will contain usage patterns that can be detected and exploited.
- won't use the entire name space. The pool of words used will likely be less than 10,000 instead of greater than 100,000. Let's face it, most people know the word 'onomatopoeia' but no one is putting it in a pass phrase. They are going to use basic, working vocabulary words like house, cove, Audi, sunset, etc...
- will be used for login at multiple sites, making dictionary attack possible.

Ok, say there are... I don't know 800 really common words. So what's the possible combinations of a 4 word passphrase there? Some hundred billion sized number? Of course, 800 is a really small word space.

A simple solution limits hacking to <30 second window but corporate irresponsibility doesn't jump on board.

I lived in China for a period and had an HSBC bank account in Hong Kong. First thing they did after opening it was hand me an authenticator. Same Verisign ones that you can buy from PayPal and even Star Wars The Old Republic game. Blizzard's group of games have a slightly different look but it's still from the same company Masco to supply their gamers authenticators.

Back on topic, I return to North America and not a single bank offers this security. No other corporation offers this security. This has ties to much more personal data and finance and no one is offering this level of security and it's pennies on the dollar. Just flat out irresponsibility on their part and month after month more and more major corporations get hacked and expose all of our data to nefarious types to use as they please.

Simply put, adding the authenticator connected to our online login presence cuts access of a hacker to <30 seconds. Not unlimited freedom to make all the attempts they like as it is now. Why gaming companies are more proactive than our corporate banks confuses me. Games are a pastime hobby vs our actual hard earned cash and personal value. It must receive the higher priority of protection than a gaming hobby.

Ok, say there are... I don't know 800 really common words. So what's the possible combinations of a 4 word passphrase there? Some hundred billion sized number? Of course, 800 is a really small word space.

It is. log2(dictionary_size)*words_in_passphrase/log2(96) will give you an easy comparison to full ASCII random passwords - in this case it's equivalent to 5.86 symbol pass. You can check the graph in this article to get a feel of how easy it is to bruteforce.

a) use bigger dict, b) use true random, c) throw in a bit or two of extra randomness with spacing and punctuation. You can check out Diceware for all these three, for example.

While I agree this is another interesting article by Goodin, it's sad to see the mass downvoting of posts which point out the fact that the weakness of the (obsolete) MD5 was key to the high success rate of cracking in such a short amount of time. Can we seriously not allow any legitimate questions to be raised about the methodology without treating them as trolling? Get a grip.

Why the focus on MD5 when SHA1, SHA3 and the vast majority of other hash functions are just as unsuitable for password storage?

It's a fact that a large number of sites continue to use these hashes, despite the very clear benefits of using something like bcrypt. Witness breaches of HB Gary, LinkedIn, eHarmony, and LivingSocial, to name a very small few.

I'm not sure why these comments are getting downvoted. I suspect it's because people recognize complaints about attacking a list of MD5 hashes is a side show and largely beside the point. Ars will stop picking lists with weak hashes when the vast majority of sites stop using the underlying functions. In the meantime, please direct your complaints to sites that continue to put their users at risk because they don't use slow hash functions.

FYI, while going through my lastpass account I found that Chase (of the Amazon credit card) validates entered passwords irrespective of the capitalization of the letters entered. Not quite as bad as some bank's 8 character limit, but certainly some hit to security Amazon would probably be surprised to see associated with their name.

It's important to remember - passwords can only be cracked at anything like this speed where the entire, or a portion of, the password database has been stolen.

That is a rare situation. Hackers couldn't get into your Gmail account, or Facebook using these techniques unless there are breaches there (unlikely, but possible).

This is because it takes a web server maybe a second to receive a login attempt - then tell the user it failed. On top of this most login systems will slow things down further if there are too many failed login attempts.

So while it is good to try and have secure passwords - and ultimately a password manager, or 2 factor authentication may be the answer - we're not in as much trouble as it would appear.

Yeah, something like this would never happen to a big-name site with lots of users...

You cannot and should not trust any site with protecting your password unless you know how they store it internally, who has access, and how secure their network is. Since no site gives this out, you have to assume they use fast hashes and may have their DBs compromised at some point. The only countermeasure you can take is to use a strong password to minimize the chance that yours will be one of the ones cracked.

Would this not be almost impossible to crack, even if I use MD5 and the original password is dead simple?

If I know HOW you're manufacturing your hashes (and if I stole your db, let's assume I stole your code as well) that's equivalent to no salt. I can run the attack in parallel against all your hashes just as if you were using plain ol' md5.

Security by obscurity is a bad idea, as has been proven time and again. When designing crypto, you'd best assume the attacker knows EVERYTHING you know about the crypto method.

I read a while ago that the strongest passwords that are easy to remember are in the form of sentences. Not like the one in the example, but by taking the first one or two letters of each word in the sentence and using that to form a password. For instance:

7lBhts6Coetws comes from sentence: "7 little Bunnies have to share 6 Carrots or else they would starve."

Or

imM:)2hswC! "It makes Me happy to have such wonderful Children!"

even

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

Something that is more unique to you that no one is going to think of out of the blue. I think they are the best right now and easier to remember. Although wordlist and crackers are starting to learn through database dumps how people make some of these passwords and are making smarter guessing problems that can come up with complete sentences. But that will have to be a lot of guesses.

Ok, say there are... I don't know 800 really common words. So what's the possible combinations of a 4 word passphrase there? Some hundred billion sized number? Of course, 800 is a really small word space.

The quick-and-dirty way to calculate password entropy is this: Take the number of possible words/letters (depending on if you're choosing a random collection of words or a random collection of characters) and raise them to the power of the number of letters/words in your phrase.

So, with 800 words to choose from, and a phrase 4 words long, you'd have 800^4 combinations, or 409 600 000 000. At a million guesses per second, that phrase would last about two and a half days (you take the time required to try every combination and divide it by two to get the average time it'd take).

However, the problem is that even with 800 words to choose from, some will be picked more often than others and certain ones will be more likely to follow others and so on. The answer is to not pick the words yourself, but to use a computer program with a large dictionary and have it select them for you at random. That way you up the number of possible words hugely and ensure that your built-in bias towards certain ones doesn't matter.

So yeah, the XKCD style passphrase is very secure if, and only if, you use a truly random method to select your words from a large dictionary. Any other method is very vulnerable to falling into predictable patterns that can be exploited.
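The passphrase arithmetic from the comments above, worked through as an added example (it is not part of any commenter's post or of the article). It reproduces the 800-word figures, sizes a passphrase for a target strength, and picks words uniformly with a CSPRNG so the estimate actually holds. The 16-word sample list and the function names are constructed for this sketch; the guess rates are the ones quoted in the article and the comments.

```python
import math
import secrets

# Constructed sample list; a real list should hold thousands of words
# (the Diceware list mentioned in the comments has 7,776).
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def keyspace(pool_size, length):
    """Number of equally likely passphrases: pool_size ** length."""
    return pool_size ** length


def entropy_bits(pool_size, length):
    """Entropy in bits, valid only if every word is chosen uniformly at random."""
    return length * math.log2(pool_size)


def equivalent_ascii_length(pool_size, length, alphabet=96):
    """Length of a random password over `alphabet` symbols with the same entropy."""
    return entropy_bits(pool_size, length) / math.log2(alphabet)


def average_crack_seconds(pool_size, length, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace over the rate."""
    return keyspace(pool_size, length) / 2 / guesses_per_second


def words_needed(pool_size, target_bits):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(wordlist, n_words, separator=" "):
    """Pick n_words uniformly with a CSPRNG, removing human word bias."""
    words = list(dict.fromkeys(wordlist))  # drop duplicates, keep order
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print("800^4 combinations:", keyspace(800, 4))
    print("equivalent random ASCII length: %.2f" % equivalent_ascii_length(800, 4))
    days = average_crack_seconds(800, 4, 1_000_000) / 86400
    print("average at 1 million guesses/s: %.2f days" % days)
    fast = average_crack_seconds(800, 4, 8_000_000_000)
    print("average at 8 billion guesses/s: %.1f seconds" % fast)
    print("words for 64 bits from 7,776 words:", words_needed(7776, 64))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```
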

If you use Dropbox to sync a password manager file, you're taking risks that you really oughtn't. I hesitate to say it would be retarded, but I think I just said it.

There... fixed it. (Uploading it as a hidden volume within a Truecrypt container using a cascade AND keyfiles is of course qualitatively different and way less retarded).

While I, like many, many others, do in fact maintain TrueCrypt enclosures on our DropBox folders (and back up my "high security"* KeePass db in one of them), please educate me on exactly what can go wrong w/my non TC-encrypted KeePass db (the "low security" one) that I also sync on DropBox. For that matter, what exactly would someone do w/the copy that sits on my keychain's flash stick if someone would steal that? Or if I decided to mail a copy of it to all my friends and family across the globe, just for the hell of it, what could any of them do with it? Because if they can crack an AES/Twofish encrypted file, we have far, far bigger problems than how to manage secure passwords.

(*FWIW, I maintain 2 levels of KeePass dbs because I use the less secure one on devices that I may stupidly leave unattended while the db is open.)

FYI, while going through my lastpass account I found that Chase (of the Amazon credit card) validates entered passwords irrespective of the capitalization of the letters entered. Not quite as bad as some bank's 8 character limit, but certainly some hit to security Amazon would probably be surprised to see associated with their name.

Damn it, and I thought it was only E*Trade. I'll have to go through my financial accounts again and see who else ignores caps. At least, I haven't found any that truncates strings.

I read a while ago that the strongest passwords that are easy to remember are in the form of sentences. Not like the one in the example, but by taking the first one or two letters of each word in the sentence and using that to form a password. For instance:

7lBhts6Coetws comes from sentence: "7 little Bunnies have to share 6 Carrots or else they would starve."

Or

imM:)2hswC! "It makes Me happy to have such wonderful Children!"

even

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

It's a nice theory, but I remain unconvinced that it's as secure as it seems.

See, in theory, picking five words off the top of your head results in a password that could never be cracked. However, people show a strong bias towards picking familiar words, and so if you do the picking yourself you end up with a trivially easy to crack passphrase.

Sentences are even worse, since they have to follow set rules, and grabbing only the initial letter of a word is worse still, since English has a heavy bias towards putting certain letters at the start of words, further reducing the potential keyspace.

Now, are these problems enough to make these passwords vulnerable? I don't know enough of the math to say, but I'd be very leery of trusting such a method. Plus, after you've added all the transform rules and such, you end up with something very hard to remember. Why not just use a simple password manager and have it generate the passwords for you? It's immensely more secure and you don't run the risk of forgetting them ever.

A simple solution limits hacking to <30 second window but corporate irresponsibility doesn't jump on board.

I lived in China for a period and had an HSBC bank account in Hong Kong. First thing they did after opening it was hand me an authenticator. Same Verisign ones that you can buy from PayPal and even Star Wars The Old Republic game. Blizzard's group of games have a slightly different look but it's still from the same company Masco to supply their gamers authenticators.

Back on topic, I return to North America and not a single bank offers this security. No other corporation offers this security. This has ties to much more personal data and finance and no one is offering this level of security and it's pennies on the dollar. Just flat out irresponsibility on their part and month after month more and more major corporations get hacked and expose all of our data to nefarious types to use as they please.

Simply put, adding the authenticator connected to our online login presence cuts access of a hacker to <30 seconds. Not unlimited freedom to make all the attempts they like as it is now. Why gaming companies are more proactive than our corporate banks confuses me. Games are a pastime hobby vs our actual hard earned cash and personal value. It must receive the higher priority of protection than a gaming hobby.

Actually, a number of US tech/IT companies were using those over a decade ago for employee VPN access, but after the fiasco where one of those systems was cracked and the number generation routine was exposed, they may have fallen a bit out of favor. Perhaps with a stronger system they are, or will, make a comeback. Or perhaps they've continued to use them all along, I haven't really kept up. Either way it's nothing new or novel, but perhaps the concept of using them for personal banking has been rejected due to cost. Yes, I agree with you, but we all know they just care about the bottom line and risk analysis might say one thing but their bean counters probably said another.

Will somebody please explain how having the hashes in hand allows hackers to login to a site? I agree that it's useful for getting access to a WiFi using a weak WEP2 PW, but how does it serve someone trying to log in to an account?

Doesn't the website expect a password based login? From there it computes the hash to compare against the account's hashed login. Having the hash should only hash to something else entirely.

If so, then the endless attempts to log in would take time. Lots of time. And well designed logins only allow x attempts or simply increase the time between attempts for each failed one.

What am I missing?

If you have the hashes from a website then you can hash possible passwords until you find one that generates a hash on the list you got from the website. Now you know what that password was.

With password managers, what do you do when you're on a company computer that's not yours and that doesn't have internet access, and you don't have privileges for installing personal applications.

How do you retrieve your 45-characters-long password to access the external hard drive you just plugged in? Oh and you don't have your smartphone, nor would you be willing to type those characters one by one anyway.

With password managers, what do you do when you're on a company computer that's not yours and that doesn't have internet access, and you don't have privileges for installing personal applications

I run KeePass portable from a thumb drive, and also have KeePassDroid on my phone, either one of which can retrieve my passwords from anywhere.

Quote:

How do you retrieve your 45-characters-long password to access the external hard drive you just plugged in? Oh you don't have your smartphone nor would you be willing to type those characters one by one.

I suspect in that case you're pretty much screwed for the time being.

Well, yes, if you discount all potential solutions ahead of time then there is no solution. But a 45-character password is overkill (anything above 20 characters is far too complex to effectively ever be hacked) and I've copied out 20-character random passwords by hand a few times. It's not actually all that hard to do.

If I have no internet access and my smartphone isn't on me - why would I be worried about not having access to my LastPass database? If I can't even get to any of my online accounts to begin with, not having access to my passwords for said online accounts is a moot point.

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

Agreed - you may want to see my earlier post on the matter, about halfway down the page. You'll find it here.

If you have the hashes from a website then you can hash possible passwords until you find one that generates a hash on the list you got from the website. Now you know what that password was.

Okay - that implies a website weakness. How difficult is it for a website to keep the hashes secure? Wouldn't they set up a separate server (if only in a virtual machine) to confirm logins without possibility of the hashes being available to suck out? This isn't that hard? Is it? Really?

How does a cracker know he correctly recovered the plaintext password from the hash? Does he run it back through the hash function and see if he gets the same result? Also how does he know which hash function he's dealing with anyway if all he has is a list of hashes?

1. You know you have the "right" password of the 'n' potential sources for a hash by using it. But, in practice, unless you want to use the cracked password on another site, it doesn't matter if you have the "right" password, just one of the ones that hash out the same. If you want to use the password on another site, the "right" one is likely to be the one you found using dictionary/pattern attacks, as a user using the same password across the board is not likely to be coming up with a highly secure password to begin with.

2. No, he ran it through the hash in the first place. That's how it was cracked.

3. You guess the hashing algorithm (meaning, iterate across a long list of potential algorithms for the site) and run a scan for "easy" passwords. Most any site with a large number of users will have one or two dolts who don't understand how to create a reasonably-secure password. Once you find a value for "password1" in a particular hashing recipe, you can be fairly confident that that is the hashing recipe used on the site. Of course, it's not a given that the hashing recipe is constant across users, but there is something in the account which will determine the specific hashing recipe and any salts.
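The exchange above, seen from the site operator's side, as an added example that is not part of any commenter's post: it shows why a leaked list of unsalted MD5 hashes can be checked offline with one hash per guess, and what a per-user salt plus a slow key-derivation function changes. The two MD5 values are the ones quoted in the article; the function names and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# The two MD5 hashes quoted in the article ("password" and "password1").
ARTICLE_HASHES = {
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "7c6a180b36896a0a8c02787eeafb0e4c",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def md5_hex(password: str) -> str:
    """Unsalted, fast hash: the storage scheme used for the list in the article."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def matches_in_leak(candidates, leaked_hashes):
    """Offline check: each guess is hashed once and compared with every leaked
    hash, so no login attempt (and no lockout or rate limit) is involved."""
    found = {}
    for guess in candidates:
        digest = md5_hex(guess)
        if digest in leaked_hashes:
            found[digest] = guess
    return found


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(matches_in_leak(["letmein", "password"], ARTICLE_HASHES))
    first = store_password("password")
    second = store_password("password")
    # Same password, different salts: the stored digests no longer match each
    # other, so one computed guess cannot be tested against all users at once.
    print(first[2].hex() != second[2].hex(), verify_password("password", first))
```

With the salted scheme every guess costs a full PBKDF2 run per account, which is the property the commenters mean by a computationally expensive hash.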

The quick-and-dirty way to calculate password entropy is this: Take the number of possible words/letters (depending on if you're choosing a random collection of words or a random collection of characters) and raise them to the power of the number of letters/words in your phrase.

So, with 800 words to choose from, and a phrase 4 words long, you'd have 800^4 combinations, or 409 600 000 000. At a million guesses per second, that phrase would last about two and a half days (you take the time required to try every combination and divide it by two to get the average time it'd take).

Two and a half days is a good bit of time unless someone really, really cares. But like I said, 800 is a very small word space.

Quote:

However, the problem is that even with 800 words to choose from, some will be picked more often than others and certain ones will be more likely to follow others and so on. The answer is to not pick the words yourself, but to use a computer program with a large dictionary and have it select them for you at random. That way you up the number of possible words hugely and ensure that your built-in bias towards certain ones doesn't matter.

So yeah, the XKCD style passphrase is very secure if, and only if, you use a truly random method to select your words from a large dictionary. Any other method is very vulnerable to falling into predictable patterns that can be exploited.

Of course they will, just like people are going to make passwords they can remember.

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

It's a nice theory, but I remain unconvinced that it's as secure as it seems.

See, in theory, picking five words off the top of your head results in a password that could never be cracked. However, people show a strong bias towards picking familiar words, and so if you do the picking yourself you end up with a trivially easy to crack passphrase.

Sentences are even worse, since they have to follow set rules, and grabbing only the initial letter of a word is worse still, since English has a heavy bias towards putting certain letters at the start of words, further reducing the potential keyspace.

I'd have to disagree. While finding the distribution of initial letters of words in all of English is trivial (see this chart on Wikipedia here), I think you'll find that the frequency of initial letters in the sample of any given short passphrase is not going to necessarily correlate very well with the frequency across the entire language. I give a sample of how this works and how to mitigate it in my original post on the subject.

I read a while ago that the strongest passwords that are easy to remember are in the form of sentences. Not like the one in the example, but by taking the first one or two letters of each word in the sentence and using that to form a password. For instance:

7lBhts6Coetws comes from sentence: "7 little Bunnies have to share 6 Carrots or else they would starve."

Or

imM:)2hswC! "It makes Me happy to have such wonderful Children!"

even

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

The problem with these password rules is you'll make a rule like this and then encounter sites that won't accept certain punctuation or won't allow a number in the first spot, blowing your standard rule with exceptions. After you collect more than a half dozen exceptions you'll start writing them down somewhere....

In the example given, the number of guesses was "only" the square of 100 million, or 10 ^ 16.

Four English words would be the quad(?) of 100,000 (a lowball estimate to the number of words in the English language), or 10 ^ 20; it would take 10,000x the time.

If the combinator attack took an hour the xkcd combinator attack would take a year.

Now, if you really were paranoid and didn't care so much about the problem of passwords being hard to remember (let's say it's one you use every day) you could easily make things several times more complicated through substitutions, making a similar technique take 1,000 years instead...

The number of people who read this article and completely missed the key points of it is astounding.

The three subjects in the article only used pure brute force attacks where it made sense - i.e. where they could be done quickly. Beyond that they used attacks based on human tendencies and pattern analysis that essentially targeted the attacks where they were likely to produce the best results.

The subjects in the article weren't trying to get my, truly random, 16 character LastPass vault password. They were going for the low hanging fruit, so to speak.

The same thing that makes the majority of passwords weak - human behavior - will also make most pass phrases weak.

The pass phrases typical users create:

- will contain usage patterns that can be detected and exploited.
- won't use the entire name space. The pool of words used will likely be less than 10,000 instead of greater than 100,000. Let's face it, most people know the word 'onomatopoeia' but no one is putting it in a pass phrase. They are going to use basic, working vocabulary words like house, cove, Audi, sunset, etc...
- will be used for login at multiple sites, making dictionary attack possible.

Ok, say there are... I don't know 800 really common words. So what's the possible combinations of a 4 word passphrase there? Some hundred billion sized number? Of course, 800 is a really small word space.

Stop being brute force centric.

Pure brute force attacks become daunting really fast. For 9 character passwords, from a 95 character set, it's conceivable to brute force the entire space with today's tech. At 10 characters it becomes a daunting task - probably still in the realm of doable for entities with access to Titan-like resources though.

But by the time you get to 12 characters the task is virtually impossible for anyone. At 1 trillion guesses per second the average time to crack a random 12 character password is over 850 years. Can even Titan do 1 trillion MD5 hashes per second?

Look at the screen shot on page 1 of some of the passwords recovered - specifically the length of many of the passwords recovered. Most of them were more than 10 characters long. Virtually none of those were gotten via a pure brute force attack. Hackers have already conceded that pure brute forcing is a dead end approach.

I'm not sure I completely understand what's safe and not safe anymore. I've read that long sentences with a few symbols and numbers are very secure, but this article seems to imply that even those would be easily crackable.

Would this be simple or tough to crack?

PASSWORD:

You never know what to choose for a password?"94

Of course it's simple, you just posted it on the Internet!

Seriously, though: common phrases are already in those dictionaries, including musings on choosing a password (now there might be one more in somebody's dict thanks to you). And as this article says, [dictionary entry] + [3-4 random chars] is also a common cracking strategy.

Yes, but it still has relatively high entropy. Given the length of this password (48 characters), even with a phrase dictionary, it *seems* it would still take a long time to crack. Could this be cracked in mere days?

2b?on2b?titq "To be, or not to be? That is the question." Can have strength until it gets thrown into a dictionary.

These password types are highly memorable and highly random. No need for a password manager. Coming up with personal conventions such as capitalizing nouns or only two letter words or always including vowels that are the 2nd letter in a word also makes it more unique.

The problem with these password rules is you'll make a rule like this and then encounter sites that won't accept certain punctuation or won't allow a number in the first spot, blowing your standard rule with exceptions. After you collect more than a half dozen exceptions you'll start writing them down somewhere....

I think I'd either a) choose a passphrase that meets my rules and the site's or b) not use the site. That way I'm always consistent.

I'm not sure I completely understand what's safe and not safe anymore. I've read that long sentences with a few symbols and numbers are very secure, but this article seems to imply that even those would be easily crackable.

Would this be simple or tough to crack?

PASSWORD:

You never know what to choose for a password?"94

Simpler than 9 random words by quite a bit (there exist passphrase guessers that work off of common grammatical rules and words that commonly go together and such) but probably secure enough. A naive calculation says that it's got roughly (1000^9)*42^3 variations, or 74 088 000 000 000 000 000 000 000 000 000, which is well outside of brute-force territory (2-and-a-bit quadrillion years to definitely brute force at a billion guesses per second). However, clever use of Markov chains and the like might drop that significantly, and I don't know by how much.

That's the question. If it drops it to two weeks, then that's more than enough for most website passwords. But if it drops it to 20 hours, then it's a poor password.

Does anyone have an educated guess?

I've also seen it suggested that you simply take the first letter of each word to create a 9 character password instead. Is that really more secure? It seems to have very low entropy and as a result is much more susceptible to brute-forcing. http://www.antiscamnews.com/creating-strong-passwords/

For example, "Pa$$w0rd01" will fool most all password strength meters, because all the math sees is "10 chars long, three numbers, one uppercase, two special characters" and reports it will take 238402348 years to crack. It's assuming the best possible password with this combination of characters, instead of the worst possible password with this combination of characters.

Ultimately it is because they are doing two different things. Brute forcing "Pa$$w0rd01" would be incredibly hard because it is long enough and uses enough different characters to increase the key space. It fails because it is easily predictable without using brute forcing to try every possible password. "password" is already known to be a common password when allowed. Capitalizing the first letter of a word is something we do commonly so it is easy to remember as part of a password but crackers know to try this. Adding a couple digit(s) to the end is also common. Subbing characters with common replacements is also pretty easy for crackers to figure out.

In all, from reading the article I'd expect that none of the crackers would have been able to brute force "Pa$$w0rd01" but they all would have hit it pretty early. I'd bet that if "Pa$$w0rd01" was in that list it probably would have been found in the following section which is the first thing he does after his brute force runs.

"It was only then that Gosney turned to his word lists, which he has spent years fine tuning. Augmenting the lists with the "best64" rule set built into Hashcat, he was able to crack 6,228 hashes in just nine minutes and four seconds. To complete stage one, he ran all the plains he had just captured in the previous rounds through a different rule set known as "d3ad0ne" (named after its creator who is a recognized password expert). It took one second to complete and revealed 51 more plains."

With password managers, what do you do when you're on a company computer that's not yours and that doesn't have internet access, and you don't have privileges for installing personal applications?

How do you retrieve your 45-characters-long password to access the external hard drive you just plugged in? Oh and you don't have your smartphone, nor would you be willing to type those characters one by one anyway.

I suspect in that case you're pretty much screwed for the time being.

Not sure if you're trolling or just playing devil's advocate, but obviously if you're on a company computer that does not have internet access, then you have no need (or ability) to access your personal password manager to access personal sites at work.

I'd also argue that the vulnerability footprint is much lower as well, so no need to have a 45-char password on a work computer that is not on the Internet. If you feel the need to use a password manager at work for your work passwords, then use a local password manager like Schneier's Password Safe.

The 25-GPU rig can do approx 350 billion/sec, according to the article. I think 1 trillion/sec isn't a bad benchmark for what you'd want to guard against, esp. going forward unless everyone starts using computationally expensive (memory-hard) hashes. I'm not holding my breath.

Quote:

Look at the screen shot on page 1 of some of the passwords recovered - specifically the length of many of the passwords recovered. Most of them were more than 10 characters long. Virtually none of those were gotten via a pure brute force attack. Hackers have already conceded that pure brute forcing is a dead end approach.

Except for anything len 6 or under, which were pretty instantly broken. Pure brute force for anything longer than 11 or so is likely out the window, even at 1 trillion guesses/sec, but as your password options are restricted (no special chars, caps ignored, damn you Chase!), brute force becomes an option again at higher lengths. A len 11 lower (caps ignored) + num only random string (36^11) can be brute forced in about 37 hrs at 1 trillion guesses/sec. At len 10 (36^10), it barely takes an hour. Which means our financial institutions still look ripe for pure brute force attacks. *sighs*

It amazes me, reading the first 150 or so comments, how many people say "so, the takeaway from this is that I need a different rule for generating my passwords."

NO.

The takeaways are these:-

1. You can't use ANY rule to create passwords. Your passwords MUST BE RANDOM.

No rules, no "clever" tweaks, nothing. Random. Anything one human can think of, another can. We're pretty dumb that way. Passwords must be random.

2. You must be ready and able to change any or all passwords at any time. Therefore, coming up with new passwords (random, remember) must be something you can do quickly and correctly even (especially!) when feeling stressed or exhausted.

How do you achieve these things?

First, let go. Realise that professional cryptographers know more about this stuff than you do, so if you disagree with their advice, you're wrong. Then, stop trying to do something that computers are better at than you are, and realise you need to work to your strengths as a human. Then, realise that you can use a computer to do this for you.

(I'm fairly reclusive by modern standards, and I have upwards of 50 passwords. I only remember two of them, though. Most of them I've never even seen.)

Lots of commenters have given you a hint: "use a password manager". Bruce Schneier's Password Safe, KeePass2, KeePassX, 1Password, LastPass, others... there are several to choose from. You can wait for Ars's next article on passwords, or you can go ahead now. I chose KeePassX and compatible Android and iOS apps, all using device-local copies of the same password register, helpfully synchronised by Dropbox. I'm unlikely to lose all four of my computers at the same time. Even if I do, I can download the list onto replacements.

Get a password manager, and set aside a couple of hours to change your passwords. There's one tiny task to go through first.

Having chosen your password manager, you need to protect access to it. Do what cryptographers do: use a passphrase. That's working to your strengths. Phrases are made of words, and humans are evolved to remember words. Peter Bright pointed out in a comment on the piece about Nathan's password cracking adventures that Randall Munroe's four-word phrase is not strong enough. But Peter didn't allow for a trivial adjustment. With five words instead of four, Peter's argument is blown out of the water. Five words are, for humans, a LOT easier to remember than 12 random keyboard characters.

But why stop at five? Five is only just good enough, and words are what people are good at: they're your strength. Go large: use seven words.

Passphrases with seven RANDOMLY chosen words (from a large-enough list) should be infeasible to decrypt for the foreseeable future, allowing for double the current rate of growth in hardware and software capabilities. Not my opinion, that of the professionals.

Seven words are easy to remember. I can remember two sets of seven words, my wife at least one, possibly three or more. If you want some help: having come up with your set of words, recite it to yourself a few times, and write it down a few times. (Shred or burn the paper afterwards.) You won't forget it -- in fact, the odds are good you'll remember a seven-word phrase the next day, even if you just read it once after generating it.

How do you generate a RANDOM sequence of five words? Here's the cryptic hint dropped by other commenters: diceware.

Diceware?? They mean, "go to diceware.com, and follow the instructions there for generating a passphrase." Diceware's method is as valid now as it was in 1996. (If you're a coder, you can cobble up something that uses a large word list and the computer's cryptographically safe source of randomness -- in Python, random.SystemRandom() -- but why not take the chance to get away from the keyboard for a while?)

Those takeaways again: for passwords, clever is stupid. The only thing that works is random. Humans can't do random, but computers can. Use a computer, a secure password manager, to manage your passwords. Use a cryptographer-approved method of generating the one passphrase that you need to remember -- a method that works to your strengths as a human.
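The keyspace arithmetic used in the comments above and the Diceware-style generation the last comment describes, as an added example that is not part of any commenter's post. The 16-word list is constructed so the block runs offline (a real Diceware list has 7,776 entries), the function names are this sketch's own, and the guess rates are the ones quoted in the thread.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # five dice rolls select one of 7,776 words

# Constructed 16-word sample list; use a full published word list in practice.
SAMPLE_WORDS = ["anvil", "basil", "cobalt", "dune", "ember", "fjord", "gravel",
                "heron", "ingot", "juniper", "kelp", "lagoon", "mortar",
                "nickel", "orchid", "pylon"]

DAY, HOUR, YEAR = 86400, 3600, 365.25 * 86400


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniform picks from `symbols` options."""
    return length * math.log2(symbols)


def crack_seconds(symbols: int, length: int, guesses_per_sec: float,
                  average: bool = True) -> float:
    """Time to search the keyspace; on average the secret is found halfway through."""
    total = symbols ** length
    return (total / 2 if average else total) / guesses_per_sec


def generate_passphrase(wordlist, n_words: int = 7, sep: str = " ") -> str:
    """Choose words uniformly with the OS CSPRNG (secrets wraps random.SystemRandom).
    The entropy figure only holds because a machine, not a person, picks the words."""
    words = list(dict.fromkeys(wordlist))  # de-duplicate so each word is equally likely
    if len(words) < 2 or n_words < 1:
        raise ValueError("need at least two distinct words and one pick")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def thread_scenarios() -> dict:
    """Keyspaces quoted in the comments, recomputed with the functions above."""
    return {
        "800_words_x4_avg_days": crack_seconds(800, 4, 1e6) / DAY,
        "36_chars_x11_full_hours": crack_seconds(36, 11, 1e12, average=False) / HOUR,
        "36_chars_x10_full_hours": crack_seconds(36, 10, 1e12, average=False) / HOUR,
        "diceware_x7_avg_years": crack_seconds(DICEWARE_LIST_SIZE, 7, 1e12) / YEAR,
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name:28s} {value:,.2f}")
    print(f"7 Diceware words: {keyspace_bits(DICEWARE_LIST_SIZE, 7):.1f} bits")
    # Only log2(16) * 7 = 28 bits with the tiny sample list above.
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS))
```

These figures assume every word or character is chosen uniformly at random; a phrase a person picks has less entropy than the formula reports.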